DSPT for Care Homes: Evidence Requirements Explained
As a care home registered manager, the DSPT is one of several annual compliance obligations competing for your time alongside CQC inspections, staffing, safeguarding, and day-to-day operations. This guide cuts through the generic advice and focuses specifically on what care homes — residential and nursing — need to submit.
Care homes fall under Category 3 in the DSPT, which has approximately 42 mandatory evidence items across the 10 National Data Guardian standards. You don't need an independent audit (that's Categories 1 and 2 only), but your evidence needs to be current, specific, and actually uploaded to the portal by 30 June 2026.
Care home-specific challenges
Care homes face DSPT challenges that pharmacies and GP practices don't:
- High staff turnover. A care home with 30 staff may see 10+ starters and leavers per year. Every one of those changes means training records to track and system access to manage.
- Mixed IT literacy. Staff range from nurses comfortable with clinical systems to care assistants who primarily use paper. Getting everyone through online data security training requires coordination.
- Agency and bank staff. Temporary staff need data security training too. Getting certificates from agencies — or requiring completion of your own training — adds administrative overhead.
- Multiple access points. Medication administration records (MAR charts), care plans, resident information, NHSmail — several systems hold personal data, often accessed by different staff groups.
- No dedicated IT. Most care homes under 60 beds don't have an IT department. The registered manager or a deputy handles everything, often with an external IT support company.
Evidence requirements by standard
Here's what Category 3 care homes typically need for each of the 10 NDG standards. This is based on DSPT v8 (2025/26) requirements — always verify against the official portal.
Standard 1: Personal confidential data
What they're asking: Who can access resident data, and is access limited to those who need it?
Evidence you need:
- A list of systems holding resident data (care planning software, NHSmail, paper records)
- Who has access to each system and why
- Confidentiality clauses in employment contracts or signed confidentiality agreements
Care home tip: If your care plans are on a digital system, the system's user management screen showing role-based access counts as evidence. Take a screenshot showing user roles and access levels.
Standard 2: Staff responsibilities
What they're asking: Do staff understand their data security responsibilities?
Evidence you need:
- Data security policy — customised to your care home (not a generic template)
- Evidence that staff have read and acknowledged it (signature sheet, dated)
- Named data protection lead (usually the registered manager)
Care home tip: Annual policy sign-off during team meetings works well. Record the date, attendees, and what was covered. A signed attendance sheet plus meeting minutes is solid evidence.
Standard 3: Training
What they're asking: Has every staff member completed annual data security awareness training?
Evidence you need:
- Training completion records for every member of staff
- Certificates or completion confirmations with dates
- Coverage of temporary/agency staff
Care home tip: This is the evidence item that catches most care homes out. Start sending training in January — not April. The free NHS e-Learning for Healthcare module generates certificates automatically. For staff who struggle with online learning, you can use a supervised group session with the training material on a projector — record attendance and individual acknowledgements.
For agency staff, your options are:
- Ask agencies for data security training certificates for each worker they send
- Include agency workers in your own training sessions
- Require acknowledgement of your data security policy on their first shift
Standard 4: Managing data access
What they're asking: Is access properly controlled and reviewed?
Evidence you need:
- Access control register (who has access to what, and what level)
- Documented joiner/leaver process
- Evidence of regular access reviews
- System administrator account register (new in v8)
Care home tip: Create a simple spreadsheet listing every staff member, the systems they access, their role/access level, and the date access was last reviewed. When someone leaves, update the spreadsheet and remove their access the same day. Screenshot the system's user management screen showing the account has been disabled — that's your evidence.
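One way to check the access register spreadsheet from the Standard 4 tip once it is exported to CSV. This is an added example, not part of the original guide: the column names, the sample rows and the 365-day review interval are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register; the column names are this example's assumption.
SAMPLE_REGISTER = """staff_name,system,access_level,last_reviewed,left_on,disabled_on
A. Nurse,Care planning,Admin,2025-11-03,,
B. Carer,Care planning,Read/write,2024-09-12,,
C. Carer,NHSmail,User,2025-10-01,2026-01-16,2026-01-16
D. Agency,Care planning,Read only,2025-12-01,2026-02-02,
E. Deputy,NHSmail,Admin,2025-08-20,2026-03-06,2026-03-20
F. Carer,Care planning,Read/write,,,
"""

def _parse(value):
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None

def audit_register(csv_text, today, review_interval_days=365):
    """Return (staff, system, issue) for every row that needs attention."""
    findings = []
    oldest_ok = today - timedelta(days=review_interval_days)  # assumed interval
    for row in csv.DictReader(io.StringIO(csv_text)):
        who, system = row["staff_name"], row["system"]
        reviewed = _parse(row["last_reviewed"])
        left = _parse(row["left_on"])
        disabled = _parse(row["disabled_on"])
        if left and left <= today:
            # Leavers: access should be removed the same day they leave.
            if disabled is None:
                findings.append((who, system, "leaver: account not disabled"))
            elif disabled > left:
                days = (disabled - left).days
                findings.append((who, system, f"leaver: disabled {days} days late"))
            continue
        if reviewed is None:
            findings.append((who, system, "no access review recorded"))
        elif reviewed < oldest_ok:
            findings.append((who, system, "access review overdue"))
    return findings

def admin_accounts(csv_text):
    # Live administrator accounts, for the administrator account register.
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["staff_name"], r["system"]) for r in rows
            if r["access_level"].strip().lower() == "admin" and not _parse(r["disabled_on"])]

if __name__ == "__main__":
    for finding in audit_register(SAMPLE_REGISTER, date(2026, 4, 1)):
        print(*finding, sep=" | ")
```

Each finding is a row to fix before taking the user management screenshot; a clean run alongside the dated register supports the "regular access reviews" item.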
Standard 5: Process reviews
What they're asking: Are your data security processes regularly reviewed?
Evidence you need:
- Policy review schedule showing when each policy was last reviewed
- Evidence of review (updated dates on policy documents, review notes)
Care home tip: Add a "last reviewed" date and "next review" date to every policy document. Review all data-related policies together annually — data security, acceptable use, retention, breach notification. One annual review session covering all policies is more realistic than reviewing each one individually.
Standard 6: Responding to incidents
What they're asking: Can you detect and respond to data security incidents?
Evidence you need:
- Incident reporting procedure
- Evidence that staff know how to report incidents
- Incident log (even if no incidents have occurred — the log proves the process exists)
Care home tip: Your incident procedure should cover: what counts as a data incident (lost phone, misdirected email, suspected breach), who to report it to (registered manager), and what happens next (assessment, ICO notification if required). If you've had zero incidents, that's fine — the empty log with the procedure attached shows you have a working system.
Standard 7: Continuity planning
What they're asking: What happens if your systems fail?
Evidence you need:
- Business continuity plan covering IT failure, cyber attack, and data loss
- Evidence of plan review or testing
Care home tip: Your BCP for a care home should answer these questions:
- If the care planning system goes down, where are the paper backup MAR charts?
- If NHSmail is unavailable, how do you communicate with GPs and hospitals?
- If you suffer a ransomware attack, who do you call? (Your IT provider, and Action Fraud on 0300 123 2040)
- Where are your offline backups of critical resident information?
A 2-3 page document covering these scenarios is sufficient. You don't need a 50-page disaster recovery plan.
Standard 8: Unsupported systems
What they're asking: Are all your devices running supported software?
Evidence you need:
- IT asset register (hardware and software inventory with OS versions)
- Confirmation that no unsupported operating systems are in use
Care home tip: The "digital asset register" is a new v8 requirement. List every computer, tablet, and phone used by staff, the operating system version, and the key software installed. If your IT provider manages your devices, ask them for this list — most can generate it from their remote management tools.
Check for old Windows 7 or Windows 8 machines that may still be in offices or nurse stations. These are unsupported and need replacing or isolating.
Standard 9: IT protection
What they're asking: Are technical security controls in place?
Evidence you need:
- Firewall configuration confirmation
- Patching/update schedule
- Encryption on devices holding resident data
- Anti-malware/antivirus confirmation
Care home tip: If you have a managed IT provider, ask them for a single assurance letter covering all of these. Most providers can issue a standard statement confirming: firewalls are configured, patches are applied automatically, devices have encryption enabled (BitLocker for Windows, FileVault for Mac), and antivirus is installed and updated.
Standard 10: Accountable suppliers
What they're asking: Do your suppliers meet data security standards?
Evidence you need:
- Supplier assurance statements from IT providers and software vendors
- Data processing agreements (DPAs) with suppliers handling resident data
Care home tip: Your key suppliers are likely: your care planning software provider, your managed IT company, and your NHSmail/clinical system connections. Email each one asking for: (a) their DSPT completion status or equivalent assurance, and (b) a copy of your data processing agreement. Keep these on file — you'll need them every year.
Timeline for care homes
| When | What to do | Time needed |
|---|---|---|
| January | Send staff training, start tracking completions | 1-2 hours |
| February | Audit evidence — what you have vs what you need | 2-3 hours |
| March | Update policies, create asset register | 3-4 hours |
| April | Document access controls, request supplier statements | 2-3 hours |
| May | Chase training completions, upload evidence | 3-4 hours |
| June | Final review and submit | 1-2 hours |
Total: approximately 12-18 hours over 6 months — about 30-45 minutes per week.
Next steps
- Use our evidence checklist generator to get a complete Category 3 checklist
- Check the deadline calculator to see how much time you have
- Read the complete DSPT guide for a broader overview of v8 requirements
- Dive deeper into the evidence requirements by category for the assertion-by-assertion breakdown
This guide is based on DSPT v8 (2025/26) requirements for Category 3 organisations. Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.